Forbes‘ technology writer Andy Greenberg reports that at the Defcon Security Conference yesterday, an individual named Chet Uber appeared with revelations about the case of accused WikiLeaks leaker Bradley Manning and government informant Adrian Lamo. These revelations are both remarkable in their own right and, more important, highlight some extremely significant, under-examined developments unrelated to that case. This is a somewhat complex story and it raises even more complex issues, but it is extremely worthwhile to examine.
Uber is the Executive Director of a highly secretive group called Project Vigilant, which, as Greenberg writes, “monitors the traffic of 12 regional Internet service providers” and “hands much of that information to federal agencies.” More on that in a minute. Uber revealed yesterday that Lamo, the hacker who turned in Manning to the federal government for allegedly confessing to being the WikiLeaks leaker, was a “volunteer analyst” for Project Vigilant; that it was Uber who directed Lamo to federal authorities to inform on Manning by using his contacts to put Lamo in touch with the “highest level people in the government” at “three letter agencies”; and, according to a Wired report this morning, it was Uber who strongly pressured Lamo to inform by telling him (falsely) that he’d likely be arrested if he failed to turn over to federal agents everything he received from Manning.
So, while Lamo has repeatedly denied (including in his interview with me) that he ever worked with federal authorities, it turns out that he was a “volunteer analyst” for an entity which collects private Internet data in order to process it and turn it over to the Federal Government. That makes the whole Manning case all the more strange: Manning not only abruptly contacted a disreputable hacker out of the blue and confessed to major crimes over the Interent, but the hacker he arbitrarily chose just happened to be an “analyst” for a group that monitors on a massive scale the private Internet activities of American citizens in order to inform on them to U.S. law enforcement agencies (on a side note, if you want to judge what Adrian Lamo is, watch him in this amazing BBC interview; I’ve never seen someone behave quite like him on television before).
In terms of what they mean for the Manning case, those revelations require a lot more analysis, but I want to focus on the much more important aspect of these revelations: namely, what Project Vigilant does as well as the booming private domestic espionage industry of which they are a part. There’s very little public information about this organization, but what they essentially are is some sort of vigilante group that collects vast amount of private data about the Internet activities of millions of citizens, processes that data into usable form, and then literally turns it over to the U.S. Government, claiming its motive is to help the Government detect Terrorists and other criminals. From the Forbes report:
According to Uber, one of Project Vigilant’s manifold methods for gathering intelligence includes collecting information from a dozen regional U.S. Internet service providers (ISPs). Uber declined to name those ISPs, but said that because the companies included a provision allowing them to share users’ Internet activities with third parties in their end user license agreements (EULAs), Vigilant was able to legally gather data from those Internet carriers and use it to craft reports for federal agencies. A Vigilant press release says that the organization tracks more than 250 million IP addresses a day and can “develop portfolios on any name, screen name or IP address.”
They’re tracking 250 million IP addresses a day, compiling dossiers, and then turning them over to federal agencies — with the ability to link that information to “any name.” As this June, 2010 article from the Examiner — one of the very few ever written about the group — put it:
Project Vigilant has been operating in near total secrecy for over a decade, monitoring potential domestic terrorist activity and tracking various criminal activities on the Web. In a series of exclusive interviews with some of the group’s leaders, it’s clear that the people doing this work are among the most sophisticated and experienced experts in today’s rapidly moving world of Internet security.
In case you doubt the seriousness of this group, consider the list of its officials, which includes Mark Rasch, who headed the DOJ’s Internet Crime Unit for 9 years; Kevin Manson, a retired Homeland Security official; George Johnson, who “develop[ed] secure tools for the exchange of sensitive information between federal agencies” for the Pentagon; Ira Winkler, a former NSA official; and Suzanne Gorman, former security chief of the New York Stock Exchange. These are people with extensive, sophisticated expertise in compiling highly invasive data about individuals’ Internet activities, and more so — given their background — how to package it in a way that can be used by federal agencies.
* * * * *
Project Vigilant is but one manifestation of a booming and unaccountable industry: groups which collect vast amounts of highly informative data about American citizens — particularly their Internet activities — and then sell it or otherwise furnish it to the U.S. Government. A separate Examiner article described how Project Vigilant is funded by BBHC Global, a highly secretive “information security firm” — see if you can find any information about it — whose Managing Director, Steven Ruhe, drapes himself in the same creepy, vigilante-patriot language as the group which he funds:
In the fight against terror, the U.S needs all the help it can get, even if that assistance comes from unpaid volunteers. For the past 14 years, a significant volunteer group of U.S. citizens has been operating in near total secrecy to monitor and report illegal or potentially harmful activity on the Web.
Flying “under the radar” and carefully discouraging any press coverage that focused on the group, Project Vigilant has quietly operated in the eddies and whirlpools of Internet research, feeding tips and warnings to federal, state and military agencies. The group claims over 500 current members, although their names and identities are still mostly secret. Their members comprise some of the most knowledgeable experts in the field of information security today and include current employees of the U.S. government, law enforcement and the military. . . .
The group’s collaboration with the U.S. Government is handled through another highly secure web portal which supports protected email, chat and other features.
Project Vigilant is funded by BBHC Global, an information security firm based in the Midwest, and private donations. Uber’s boss is Steven Ruhe, the Managing Member of BBHC Global. “I’ve always been a small town guy with big dreams,” said Ruhe who was born and raised in Nebraska and sells Amway products on the side. “This work is for a really good cause.”
Project Vigilant is organized and run on a structure not unlike that of the military. Uber himself will serve only two more years in his “tour of duty” as the Project’s Director and then another member will take his place.
“This is the most rewarding thing I’ve ever done in my life,” said Uber. “I’m helping keep our country safer.”
Uber told Computer World that he decided to divulge his group’s role in directing Lamo to turn into an informant because he thought that Lamo’s patriotic act was being unfairly disparaged.
What’s really going on here is that the ability to construct dossiers on citizens’ Internet activities has increased dramatically over the last several years, as increasing parts of citizens’ private lives take place online. Put another way — and this isn’t news — online privacy has all but evaporated. Virtually every step anyone takes online — from the websites they visit to the transactions they engage in — are not only now stored and tracked by multiple companies, but are then compiled and made available to a wide variety of groups. As a Wall St. Journal article from this weekend documents, the original impetus for this comprehensive tracking was a commercial one: the more websites and advertisers know about you, the more they can make use of that knowledge, from auctioning you to various advertisers, selling the data about you, and catering messages and ads to your profile. As the ACLU’s long-time privacy expert Chris Calabrese told me this morning, “virtually every step you take online is now tracked by numerous mechanisms and instantly processed.”
But it’s the re-packaging and transfer of this data to the U.S. Government — combined with the ability to link it not only to your online identity (IP address), but also your offline identity (name) — that has made this industry particularly pernicious. There are serious obstacles that impede the Government’s ability to create these electronic dossiers themselves. It requires both huge resources and expertise. Various statutes enacted in the mid-1970s — such as the Privacy Act of 1974 — impose transparency requirements and other forms of accountability on programs whereby the Government collects data on citizens. And the fact that much of the data about you ends up in the hands of private corporations can create further obstacles, because the tools which the Government has to compel private companies to turn over this information is limited (the fact that the FBI is sometimes unable to obtain your “transactional” Internet data without a court order — i.e., whom you email, who emails you, what Google searches you enter, and what websites you visit –is what has caused the Obama administration to demand that Congress amend the Patriot Act to vest them with the power to obtain all of that with no judicial supervision).
But the emergence of a private market that sells this data to the Government (or, in the case of Project Vigilance, is funded in order to hand it over voluntarily) has eliminated those obstacles. As a result, the Government is able to circumvent the legal and logistical restrictions on maintaining vast dossiers on citizens, and is doing exactly that. While advertisers really only care about your online profile (IP address) in order to assess what you do and who you are, the Government wants your online activities linked to your actual name and other identifying information. As Calabrese put it: “it’s becoming incredibly easy for these companies to link your IP information to who you really are, by, for example, tracing it to your Facebook page or other footprints you leave with your identifying information.” As but one example, The Washington Post recently began automatically linking any visitors — without their knowledge or consent — to their logged-in Facebook page. The information turned over to the Government is now easily linkable — and usually linked — to the citizens’ actual identity.
An incredibly prescient 2004 Report from the ACLU documented the flourishing problem back then. This was its title: